The bill does not define or mention "consumers," despite being intended to protect consumer data. The recently-passed California Consumer Protection Act—which, along with the EU's General Data Protection Regulation, may serve as a benchmark for future federal lawmaking—is similarly unclear in this area.
Any entity that “provides a service that uses the internet” and collects personal data in the process would be subject to the legislation.
The bill's definition of personal data includes electronic identification numbers, routing codes, or any other name or number that could be used alone or in conjunction with any other information to identify an individual.
Under the bill:
- Rights would be established to access and correct records maintained by a covered provider that are not accurate, relevant, timely, or complete as defined by the FTC, while creating a process for deletion of a record.
- The FTC would submit recommendations for privacy requirements for Congress to approve. However, if Congress fails to act on the FTC’s requirements, the Commission would produce new rules based on its recommendations.
Outlook: Though it has attracted the support of certain tech industry groups, the bill is likely to be one of many, with other efforts in the Senate expected to emerge in the upcoming weeks. By failing to specify whether it covers employee data, the bill illustrates the danger to the employer community that data privacy legislation could be enacted without recognizing the critical distinction between consumer data and HR data, where expectations of privacy are significantly different.